import "elf"

rule enterpriseapps2 {
  meta:
    author = "Tim Brown @timb_machine"
    description = "Hunts for enterprise app binaries"
  strings:
    $db2 = "db2" nocase
    $oracle = "oracle" nocase
    $mysql = "mysql" nocase
    $mqm = "mqm" nocase
    $tivoli = "tivoli" nocase
    $patrol = "patrol" nocase
    $websphere = "websphere" nocase
    $weblogic = "weblogic" nocase
    $sap = "sap" nocase
    $tomcat = "tomcat" nocase
    $libca = "libc.a"
    $text = ".text"
    $data = ".data"
  condition:
    ($db2 or $oracle or $mysql or $mqm or $tivoli or $patrol or $websphere or $weblogic or $sap or $tomcat) and ((elf.number_of_sections >= 1) or ($libca and $text and $data))
}
